download.lst | 4 - external/nss/UnpackedTarball_nss.mk | 4 + external/nss/macos-dlopen.patch.0 | 25 +++++++++++ external/nss/nss-android.patch.1 | 22 +++++----- external/nss/nss-bz1646594.patch.1 | 16 +++++++ external/nss/nss.bzmozilla1238154.patch | 12 +++++ external/nss/nss.nspr-parallel-win-debug_build.patch | 40 ------------------- 7 files changed, 69 insertions(+), 54 deletions(-)
New commits: commit 38dbbea5993e66eccb2171416c2497393a7eaf6c Author: Michael Stahl <michael.st...@cib.de> AuthorDate: Fri Aug 7 18:57:00 2020 +0200 Commit: Andras Timar <andras.ti...@collabora.com> CommitDate: Wed Aug 19 07:29:11 2020 +0200 nss: upgrade to release 3.55.0 Fixes CVE-2020-6829, CVE-2020-12400 CVE-2020-12401 CVE-2020-12403. (also CVE-2020-12402 CVE-2020-12399 in older releases since 3.47) * external/nss/nss.nspr-parallel-win-debug_build.patch: remove, merged upstream Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100345 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@cib.de> (cherry picked from commit 495a5944a3d442cfe748a3bb0dcef76f6a961d30) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100420 Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org> (cherry picked from commit 227d30a3a17f2fffb1a166cdc3e2a796bb335214) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100590 Reviewed-by: Caolán McNamara <caol...@redhat.com> (cherry picked from commit 94cecbfdf3cf01fe3d5658c7edf78696da2a249f) Change-Id: I8b48e25ce68a2327cde1420abdaea8f9e51a7888 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100864 Tested-by: Michael Stahl <michael.st...@cib.de> Reviewed-by: Michael Stahl <michael.st...@cib.de> Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100903 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com> Reviewed-by: Andras Timar <andras.ti...@collabora.com> diff --git a/download.lst b/download.lst index 4668fc931810..0871634bf595 100644 --- a/download.lst +++ b/download.lst @@ -203,8 +203,8 @@ export MYTHES_SHA256SUM := 1e81f395d8c851c3e4e75b568e20fa2fa549354e75ab397f9de4b export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz export NEON_SHA256SUM := db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d3d967fbca export NEON_TARBALL := neon-0.30.2.tar.gz -export NSS_SHA256SUM := 861a4510b7c21516f49a4cfa5b871aa796e4e1ef2dfe949091970e56f9d60cdf -export NSS_TARBALL := nss-3.53-with-nspr-4.25.tar.gz +export NSS_SHA256SUM := ec6032d78663c6ef90b4b83eb552dedf721d2bce208cec3bf527b8f637db7e45 +export NSS_TARBALL := nss-3.55-with-nspr-4.27.tar.gz export ODFGEN_SHA256SUM := 2c7b21892f84a4c67546f84611eccdad6259875c971e98ddb027da66ea0ac9c2 export ODFGEN_VERSION_MICRO := 6 export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.bz2 diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index 92902b2da6bf..8fa1edd530cc 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -21,7 +21,9 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/clang-cl.patch.0 \ external/nss/nss.vs2015.patch \ external/nss/nss.vs2015.pdb.patch \ - external/nss/nss.nspr-parallel-win-debug_build.patch \ + external/nss/nss.bzmozilla1238154.patch \ + external/nss/nss-bz1646594.patch.1 \ + external/nss/macos-dlopen.patch.0 \ $(if $(filter iOS,$(OS)), \ external/nss/nss-ios.patch) \ $(if $(filter ANDROID,$(OS)), \ diff --git a/external/nss/macos-dlopen.patch.0 b/external/nss/macos-dlopen.patch.0 new file mode 100644 index 000000000000..1889b8df7cd3 --- /dev/null +++ b/external/nss/macos-dlopen.patch.0 @@ -0,0 +1,25 @@ +--- nspr/pr/src/linking/prlink.c ++++ nspr/pr/src/linking/prlink.c +@@ -799,7 +799,7 @@ + * The reason is that DARWIN's dlopen ignores the provided path + * and checks for the plain filename in DYLD_LIBRARY_PATH, + * which could load an unexpected version of a library. */ +- if (strchr(name, PR_DIRECTORY_SEPARATOR) == NULL) { ++ if (strchr(name, PR_DIRECTORY_SEPARATOR) == NULL || strncmp(name, "@loader_path/", 13) == 0) { + /* no slash, allow to load from any location */ + okToLoad = PR_TRUE; + } else { +--- nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c ++++ nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c +@@ -224,7 +224,11 @@ + static PRStatus PR_CALLBACK pkix_getDecodeFunction(void) + { + pkix_decodeFunc.smimeLib = ++#if defined DARWIN ++ PR_LoadLibrary("@loader_path/" SHLIB_PREFIX"smime3."SHLIB_SUFFIX); ++#else + PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX); ++#endif + if (pkix_decodeFunc.smimeLib == NULL) { + return PR_FAILURE; + } diff --git a/external/nss/nss-android.patch.1 b/external/nss/nss-android.patch.1 index c45a8b892391..9b120d63ab8c 100644 --- a/external/nss/nss-android.patch.1 +++ b/external/nss/nss-android.patch.1 @@ -57,6 +57,17 @@ diff -ur nss.org/nss/Makefile nss/nss/Makefile install_nspr: build_nspr $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install +--- nss/nss/lib/ckfw/builtins/manifest.mn 2019-11-26 15:18:22.185985193 +0100 ++++ nss/nss/lib/ckfw/builtins/manifest.mn 2020-08-18 18:04:29.151889733 +0300 +@@ -5,7 +5,7 @@ + + CORE_DEPTH = ../../.. + +-DIRS = . testlib ++DIRS = + + testlib: . + diff -ur nss/nss/coreconf/arch.mk nss/nss/coreconf/arch.mk --- nss/nss/coreconf/arch.mk 2019-11-01 10:29:44.933245745 +0100 +++ nss/nss/coreconf/arch.mk 2019-11-01 10:32:04.347181076 +0100 @@ -77,14 +88,3 @@ diff -ur nss/nss/coreconf/arch.mk nss/nss/coreconf/arch.mk OS_ARCH = Android ifndef OS_TARGET_RELEASE OS_TARGET_RELEASE := 8 ---- nss-3.47.1/nss/lib/ckfw/builtins/manifest.mn 2019-11-19 20:55:30.000000000 +0100 -+++ nss-3.45/nss/lib/ckfw/builtins/manifest.mn 2019-07-05 18:02:31.000000000 +0200 -@@ -5,8 +5,6 @@ - - CORE_DEPTH = ../../.. - --DIRS = testlib -- - MODULE = nss - MAPFILE = $(OBJDIR)/nssckbi.def - diff --git a/external/nss/nss-bz1646594.patch.1 b/external/nss/nss-bz1646594.patch.1 new file mode 100644 index 000000000000..60a78cecb69c --- /dev/null +++ b/external/nss/nss-bz1646594.patch.1 @@ -0,0 +1,16 @@ +regression from https://bugzilla.mozilla.org/show_bug.cgi?id=1646594 + +--- nss/nss/coreconf/arch.mk.orig2 2020-08-18 14:33:21.295252404 +0200 ++++ nss/nss/coreconf/arch.mk 2020-08-18 14:33:46.360320806 +0200 +@@ -116,8 +116,10 @@ + OS_RELEASE := $(word 1,$(OS_RELEASE)).$(word 2,$(OS_RELEASE)) + endif + KERNEL = Linux ++ifneq ($(OS_TARGET),Android) + include $(CORE_DEPTH)/coreconf/Linux.mk + endif ++endif + + # Since all uses of OS_ARCH that follow affect only userland, we can + # merge other Glibc systems with Linux here. + diff --git a/external/nss/nss.bzmozilla1238154.patch b/external/nss/nss.bzmozilla1238154.patch new file mode 100644 index 000000000000..468ff810b9ca --- /dev/null +++ b/external/nss/nss.bzmozilla1238154.patch @@ -0,0 +1,12 @@ +diff -ru a/nspr/configure b/nspr/configure +--- a/a/nspr/configure 2019-01-26 12:23:06.589389910 +0100 ++++ b/b/nspr/configure 2019-01-26 12:26:56.566222293 +0100 +@@ -7127,7 +7127,7 @@ + + # Determine compiler version + +- _MSVC_VER_FILTER='s|.* \([0-9]\+\.[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*|\1|p' ++ _MSVC_VER_FILTER='s|.*[^!-~]\([0-9]\+\.[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*|\1|p' + + CC_VERSION=`${CC} -v 2>&1 | sed -ne "$_MSVC_VER_FILTER"` + if test -z "$CC_VERSION"; then diff --git a/external/nss/nss.nspr-parallel-win-debug_build.patch b/external/nss/nss.nspr-parallel-win-debug_build.patch deleted file mode 100644 index 86b55e1ccf7f..000000000000 --- a/external/nss/nss.nspr-parallel-win-debug_build.patch +++ /dev/null @@ -1,40 +0,0 @@ -Änderung: 4866:23940b78e965 -Nutzer: Jan-Marek Glogowski <glo...@fbihome.de> -Datum: Fri May 01 22:50:55 2020 +0000 -Dateien: pr/tests/Makefile.in -Beschreibung: -Bug 290526 Write separate PDBs for test OBJs r=glandium - -Quite often when running a parallel NSS build, I get the following -compiler error message, resulting in a build failure, despite -compiling with the -FS flag: - -.../nss/nspr/pr/tests/zerolen.c: fatal error C1041: -Programmdatenbank "...\nss\nspr\out\pr\tests\vc140.pdb" kann nicht -ge<94>ffnet werden; verwenden Sie /FS, wenn mehrere CL.EXE in -dieselbe .PDB-Datei schreiben. - -The failing source file is always one of the last test object -files. But the actual problem is not the compiler accessing the -PDB file, but the linker already linking the first test -executables accessing the shared PDB; at least that's my guess. - -So instead of using a shared PDB for all test object files, this -uses -Fd$(@:.$(OBJ_SUFFIX)=.pdb) to write a separate PDB for every -test's object file. The linker works fine with the shared OBJ PDB. - -Differential Revision: https://phabricator.services.mozilla.com/D68693 - - -diff -r 219d131499d5 -r 23940b78e965 nss/nspr/pr/tests/Makefile.in ---- a/nss/nspr/pr/tests/Makefile.in Mon Feb 10 20:58:42 2020 +0000 -+++ b/nss/nspr/pr/tests/Makefile.in Fri May 01 22:50:55 2020 +0000 -@@ -211,6 +211,7 @@ - else - EXTRA_LIBS += ws2_32.lib - LDOPTS = -NOLOGO -DEBUG -DEBUGTYPE:CV -INCREMENTAL:NO -+ CFLAGS += -Fd$(@:.$(OBJ_SUFFIX)=.pdb) - ifdef PROFILE - LDOPTS += -PROFILE -MAP - endif # profile - _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits